Severity by source
Network-reachable RSS fetch trigger; PR:L assumed as portlet URL configuration likely requires authenticated access; S:C reflects server-wide availability collapse from resource exhaustion.
Lifecycle Timeline
1Description PRE-NVD
AnalysisAI
Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The RSS feed portlet must be configured on a Plone site and pointed at a URL whose content the attacker can influence or control. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The reported severity of 9.1 critical is atypically high for a pure denial-of-service finding and warrants scrutiny before prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or can redirect an external RSS feed URL fetched by a Plone site's RSS portlet serves a maliciously crafted feed document - for example, an XML payload designed to trigger deep recursion or explosive entity expansion. When any visitor loads a Plone page containing that portlet, the server fetches and attempts to parse the payload, consuming excessive CPU or memory until the Plone worker process is exhausted or killed, making the site unavailable. … |
| Remediation | Apply the updated plone.app.portlets package released in conjunction with the June 23, 2026 coordinated security advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Document all Plone instances in production, identify current versions, and disable untrusted RSS portlet sources where operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today